Enlocked Provides Email Security for Small Business

We review Enlocked, an email security product that lets small businesses exchange secure emails with customers without cumbersome technical requirements or a hefty price tag.

Email, much like the old-fashioned postal mail that it's all but displaced, isn't a secure way to communicate. For both paper and electronic mail, messages make many stops en route from sender to recipient, and each point in that journey represents another opportunity for someone to intercept a message and make off with any sensitive information it might contain. Indeed, in many ways it's easier to misappropriate an email than the dead-tree variety, and to do so without the knowledge of either party.

Simply put, to communicate securely over email, messages must be encrypted. But doing so typically requires special infrastructure, setup procedures and software—in short, a general level of expertise, effort and expense that puts it out of the reach of most professionals and small businesses.

Enlocked aims to make secure communication via encrypted email almost as simple and cost-effective as using ordinary email, and for the most part, it hits the mark.

Getting Started with Enlocked

First, set up an account (which is free) on the Enlocked website. Enlocked supports OpenID authentication, though, so if you use one of the four major Web-based email providers (AOL, Gmail, Yahoo or Microsoft's Hotmail/Live Mail/Outlook.com, or whatever they decide to rename it next), logging into one of those services also automatically creates your Enlocked account and logs you into it.

Once Enlocked knows who you are, downloading the appropriate plug-in for your mail client or Web browser lets you compose an email just as you normally would, but it adds a "Send Secure" button to your compose message interface. Enlocked provides plug-ins for Outlook 2007/2010 as well as Internet Explorer, Chrome, Firefox and Safari; plug-ins for Mozilla Thunderbird and Apple's Mac OS X mail program are currently under development.

If you use a mail client or provider other than the ones listed above—or you're just not in the position to install the plug-in/app on the computer you're using—you can use Enlocked's own Enlocked Anywhere browser-based app.

When you send a message securely via Enlocked, it arrives at the recipient's inbox with an introduction, which you can customize when you send your message, explaining that the message is secure and can be read by visiting Enlocked's website or downloading one of the aforementioned plug-ins. The actual message contents are contained within an encrypted attachment. If the recipient already has an Enlocked plug-in, it automatically decrypts the message contents.

Enlocked provides (free) apps for mobile devices as well. Android and iOS are currently available, and the company is also working on an app for BlackBerry. All Enlocked plug-ins and apps can be found here.

How Enlocked Secure Email Works

When you click that "Send Secured" button, the outgoing message gets transferred to Enlocked servers to be encrypted (the message is transmitted via a secure SSL connection and then encrypted using PGP), then Enlocked puts the encrypted message back into your email account's outbox for delivery.

Figure 2: When someone receives an Enlocked message for the first time, an introductory message instructs them how to access and decrypt the contents.

It's worth noting that because Enlocked encrypts messages on its own computers rather than on the sender's computer, it doesn't provide the end-to-end encryption (i.e. information is encrypted before leaving its point of origin) that you get with some (usually more complicated) mail encryption products and services.

Alas, this is the price to be paid for Enlocked's comparative ease of setup and use. Although lack of end-to-end encryption may be a problem if you're bound by certain governmental privacy regulations or you're conducting, um, clandestine operations for the CIA, for most users, Enlocked's level of security should be more than sufficient.

Note that even though the message contents are not yet encrypted on their way to Enlocked, they are still transmitted over an encrypted connection (SSL). The company says it doesn't retain any messages, and that it discards them as soon as they're encrypted.

Incidentally, maximum message size is limited to 10 MB, which is less than what most email providers impose (usually 25 MB). Although 10 MB is probably sufficient for most people most of the time, it's not hard to envision lengthy legal or financial documents that could weigh in somewhat larger. Enlocked says it's open to increasing the message size based on customer feedback.

Our Out-of-(In)Box Experience

During our testing, we used Enlocked's IE, Chrome, and Outlook plug-ins—plus the Android app on a Samsung Galaxy S3—with several different mail accounts. We found that sending and receiving secure emails with them was as easy as the company purports it to be. Presumably owing to transmission and encryption overhead, we noticed a delay of about 5 to 10 seconds between the time we clicked a Send Secured button and when the message was reported as sent, but it wasn't particularly onerous.

We did encounter a handful of (mostly minor) glitches while using Enlocked. For example, the Internet Explorer plug-in failed to display the Send Secured button in Gmail due to some changes Google had recently made to the message compose interface. Enlocked was working on a fix that should be available by the time you read this, and we used the Chrome extension as a temporary workaround.

We also encountered a situation where an Enlocked message that we sent to a Microsoft Exchange-based corporate email address bounced back because the mail server's security filter rejected the encrypted attachment. This suggests that some organizations may require mail policy tweaks to accept Enlocked messages.

Figure 3: Enlocked works with any email provider, but it integrates authentication with the major Webmail providers so you don't have to log into Enlocked separately from your email account.

Enlocked's Outlook plug-in also has a feature that turned out to be a mixed blessing. By default, it has a "Send Override" feature to warn you if you simply click Send rather than Send Secure when your message contains certain keywords such as "account" or "confidential", and it gives you the option to send securely instead.

You'd think that would be helpful, but given the wide proliferation of those silly email disclaimers that deem every communication as confidential and admonish you to delete any message you receive by mistake, we found that the Send Override feature flagged so many outgoing messages that we needed to turn it off to save our sanity. (Unfortunately, there's no way to customize or even view the list of keyword triggers.)
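One way a keyword prompt of this kind could avoid the disclaimer problem is to drop quoted replies and boilerplate footers before matching. This is an added example, not Enlocked's code: only the two keywords come from the review, while the footer markers, function names and sample messages are constructed assumptions.

```python
import re

# The two triggers the review names; the plug-in's full list is not viewable.
KEYWORDS = ("account", "confidential")

# Assumed footer markers (constructed for this example, not from Enlocked).
FOOTER_MARKERS = (
    re.compile(r"^--$"),  # conventional signature delimiter ("-- " once stripped)
    re.compile(r"^(confidentiality notice|disclaimer)\b", re.I),
)

def strip_quoted(body):
    """Drop '>'-quoted reply lines so old disclaimers are not rescanned."""
    return "\n".join(l for l in body.splitlines() if not l.lstrip().startswith(">"))

def strip_footer(body):
    """Keep only the lines before the first footer marker."""
    kept = []
    for line in body.splitlines():
        if any(p.match(line.strip()) for p in FOOTER_MARKERS):
            break
        kept.append(line)
    return "\n".join(kept)

def find_triggers(body, ignore_boilerplate=True):
    """Return the keywords found as whole words, case-insensitively."""
    text = strip_footer(strip_quoted(body)) if ignore_boilerplate else body
    return [k for k in KEYWORDS if re.search(rf"\b{re.escape(k)}\b", text, re.I)]

# Constructed sample messages.
ROUTINE = ("Hi Dana,\n\nLunch on Friday works for me.\n\nSam\n-- \nSam Lee\n"
           "CONFIDENTIALITY NOTICE: This message is confidential. "
           "If you received it by mistake, delete it.\n")
SENSITIVE = ("Hi Dana,\n\nThe new account number is 0000-EXAMPLE.\n\nSam\n\n"
             "Disclaimer: this email is confidential.\n")
REPLY = "See you then.\n\n> Lunch Friday?\n> This email is confidential.\n"

if __name__ == "__main__":
    for name, msg in (("routine", ROUTINE), ("sensitive", SENSITIVE), ("reply", REPLY)):
        # Left: naive scan of the whole body. Right: scan with boilerplate removed.
        print(name, find_triggers(msg, False), "->", find_triggers(msg))
```

Anything after a footer marker goes unscanned, which is a reasonable trade-off for an advisory prompt but would be a gap in a filter meant to enforce policy.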

Additional Features

Enlocked's encryption isn't necessarily limited to new messages. If you're using the service with one of the Web-based mail providers, you can use an additional feature called EnSafe to encrypt the contents of any/all of your existing mail folders. There is also the option to assign a secondary password to Enlocked—in addition to the one you use to log into your email account—which can protect access to your encrypted messages in the event your email password is compromised (or you tend to leave your email on an unlocked and unattended computer).

In addition, you can download the public and private encryption keys Enlocked generates for you, in order to access your messages offline or with other PGP-compatible utilities.

Pricing

As of this writing, Enlocked is free to use on an all-you-can-eat basis, but come January 2013, the company will offer one free and two paid tiers of service. The gratis version will permit you to send a maximum of 10 encrypted messages a month and read an unlimited number of them. A Basic subscription bumps the send limit up to 100 messages per month for $9.99/mo. or $99 annually, while a Professional subscription increases it further to a hefty 2,000 monthly messages for $19.99/mo. or $199 annually.

Enlocked says it will provide a mechanism to allow an IT or other responsible person to purchase and administer the service for a company's employees, but that capability wasn't yet ready while we were testing.

The Bottom Line

Enlocked promises secure email with minimal extra cost and technical hassle, and despite a few glitches, it largely delivers. Any small business or professional looking for an easy way to communicate securely with customers/clients over email should give it a try.

Price: Free for unlimited reading and to send up to 10 messages per month; or pay $9.99 per month to send 100 or $19.99 to send 2,000 messages.